Overview

Goal of this TutORial:

Provide a guide to recent work using constrained optimization
(along with models of system function) to assess and improve the
resilience of (critical infrastructure) systems to disruptive events.

Today's Agenda:

- Motivation and Background
- Modeling
- Algorithms
- Analysis and Insights
- Applications

History: U.S. Policy on Critical Infrastructure

1996 President's Commission on Critical Infrastructure Protection

2001 September 11 terrorist attacks; USA PATRIOT Act

Critical Infrastructure

"systems and assets, whether physical or virtual, so vital to the United
States that the incapacity or destruction of such systems and assets
would have a debilitating impact on security, national economic security,
national public health or safety, or any combination of those matters"

2002 Homeland Security Act establishes DHS with security mission

2003 Northeastern Blackout; Homeland Security Presidential Directive
(HSPD)-7: "Directive on Critical Infrastructure Identification,
Prioritization, and Protection" directs use of risk-based strategies

2004 Indonesian tsunami

2005 Pakistan earthquake; Hurricanes Katrina and Rita in U.S.

History: U.S. Policy on Critical Infrastructure (2)

2007 National Strategy for Homeland Security

"We will not be able to deter all terrorist threats, and it is impossible
to deter or prevent natural catastrophes. We can, however, mitigate the
Nation's vulnerability to acts of terrorism, other man-made threats, and
natural disasters by ensuring the structural and operational resilience of
our critical infrastructure and key resources" (p.27)

"We must now focus on the resilience of the system as a whole — an
approach that centers on investments that make the system better able
to absorb the impact of an event without losing the capacity to function"
(p.28)

2008 Global financial crisis

2010 Haiti Earthquake; Deepwater Horizon Oil Spill

2011 Fukushima Daiichi Nuclear Disaster

2012 Hurricane Superstorm Sandy

History: U.S. Policy on Critical Infrastructure (3)

2013 Presidential Policy Directive (PPD)-21:
"Critical Infrastructure Security and Resilience"

resilience is "the ability to prepare for and adapt to changing conditions
and withstand and recover rapidly from disruptions. Resilience includes
the ability to withstand and recover from deliberate attacks, accidents, or
naturally occurring threats or incidents"

2013 Attack on PG&E Metcalf electric substation

2014 Ebola outbreak

Security → Risk → Resilience

Contribution in context

This TutORial builds on previous work:

- two classes of bi-level programming models in Brown et al.
  (2005): attacker-defender, defender-attacker
- tri-level programming models: defender-attacker-defender in
  Brown et al. (2006)
- other recent treatments of system interdiction models:
  Lim and Smith (2007), Alderson et al. (2011, 2013), Wood
  (2011), and Dimitrov and Morton (2013)

Our contribution in this TutORial:

- synthesize the most essential material in these many papers,
- provide a step-by-step explanation of how and why we build
  these models as we do,
- introduce a general solution technique for solving them, and
- establish connections to other related work.

Introduction

Primary Objective

Making critical infrastructure systems and other large systems
resilient to a range of accidents, natural disasters, deliberate
attacks, and other disruptions.

Resilience

- What is resilience?

Introduction

Basic Assumption

Everything we propose is based on having an operational model of
system performance.

Operational Model

Modeling system operation:

- system components provide function
- the operation of the system is a coordinated operation of its
  components
- the operational setting describes the working state of the
  components, and determines the cost of operating them
- the system design specifies existence of and connections
  between components, and determines feasible operation
- performance is measured by a scalar function of the design,
  setting, and operation of the system.

Example performance measures: total shipping cost, barrels of fuel
delivered, total vehicle-hours of commuting traffic, megawatt-hours
of power shed (not delivered), total weighted rewards for delivering
medical supplies.

Optimizing System Performance

Using an operational model to determine a maximum-performance
operation of the system:

$$z^* = \max_{y \in Y(w)} f(w, x, y)$$

- $f(\cdot)$ measures system performance
- $w$ is the design of the system
- $x$ is the operational setting
- $y \in Y(w)$ indicates activities $y$ depend on design $w$

$y^*$ is an optimal way to operate the system for design $w$ under
operational setting $x$, and results in performance $z^*$.

Example Infrastructure: Russian Rail Network

Soviet Rail system, c.1955 (from Alderson et al. (2013), adapted
from Harris and Ross (1955)). Capacities in 1,000s of tons. Max
s-t flow is 163,000 tons.

Events, Disruptions, and Resilience

Building a model of system operation:

- an event is a change to the operational setting
- the consequence of an event is the change in system
  performance resulting from that event
- a disruption is an event that hurts performance
- the resilience of the system to an event is quantified by the
  consequence resulting from the event; designs that have lower
  consequence to an event are more resilient to it
- system resilience to a specific set of events is measured by a
  scalar function of the resilience of the system to each of the
  events in the set.

Examples of disruptive events: Port of Long Beach closed by oil
spill, explosion destroys two collocated pipes, flooding closes all
New Orleans roads below sea level, three electrical substations are
shut down by snipers, two key hospitals placed under complete
quarantine from rampant infections.

Modeling and Analysis Script

1. Formulate Operator Model: operational model that
   determines optimal system operation and performance,
2. Define set of events and identify how each event modifies
   operational setting,
3. Modify Operator Model: include events and their impact on
   operational setting,
4. Formulate bi-level Attacker Model: identify worst-case events
   that minimize optimal performance,
5. Define design decisions that change the feasible operation of
   the system,
6. Modify Operator and Attacker Models: include design and its
   effect on operations,
7. Formulate tri-level Defender Model: choose best design in
   anticipation of a worst-case event.

Example Applications: Operator Models

System components
- Electric power transmission grid: Generators; buses; transmission lines; transformers; substations
- Highway network: Road segments; tunnels; bridges; interchanges
- Undersea comms cables: Landing stations; branching units; repeaters; fiber-optic cables ("links")

System configuration
- Electric power transmission grid: Inter-component connections; line thermal capacities; generating capacities
- Highway network: Inter-component connections; component lengths, capacities, and speed limits
- Undersea comms cables: Inter-component connections; router capacities; link capacities

Relevant operating environment
- Electric power transmission grid: During one or more weekday time periods: generation costs; customer classes; load-shedding costs; demands at each bus
- Highway network: During one or more peak travel periods: demands for vehicular travel between origin-destination pairs
- Undersea comms cables: During one or more periods of high demand: user requirements for end-to-end communications

Operator
- Electric power transmission grid: Independent System Operator makes centralized, near-real-time generating decisions to balance supply with demand
- Highway network: Drivers select routes in a decentralized but "smart" fashion (implicitly following the tenets of a game-theoretic, equilibrium model)
- Undersea comms cables: Undersea Cable Operator establishes end-to-end "lightpath" connections, and "grooms" network traffic (e.g., Zhu and Mukherjee, 2002)

Operator's model
- Electric power transmission grid: A "DC optimal power-flow model" (a linear program) that system operators use to optimize generation to meet demands (e.g., Wood and Wollenberg, 1996, pp. 108-111)
- Highway network: A traffic-equilibrium model (solved as a nonlinear program) for origin-destination routing decisions and travel times (e.g., Beckmann et al., 1956)
- Undersea comms cables: A multicommodity transportation model to route customer traffic (e.g., Mukherjee et al., 1996)

System performance metric
- Electric power transmission grid: Minimize: generation costs plus the economic cost of unserved demand over the course of a typical work day (e.g., Salmeron et al., 2004)
- Highway network: Minimize: average travel time for network users during a peak commute period
- Undersea comms cables: Minimize: traffic delays and shortage penalties for unmet end-to-end traffic demands (e.g., Crain, 2012)

Example Applications: Attacker and Defender Models

Operator's model
- Electric power transmission grid: A "DC optimal power-flow model" (a linear program) that system operators use to optimize generation to meet demands (e.g., Wood and Wollenberg, 1996, pp. 108-111)
- Highway network: A traffic-equilibrium model (solved as a nonlinear program) for origin-destination routing decisions and travel times (e.g., Beckmann et al., 1956)
- Undersea comms cables: A multicommodity transportation model to route customer traffic (e.g., Mukherjee et al., 1996)

System performance metric
- Electric power transmission grid: Minimize: generation costs plus the economic cost of unserved demand over the course of a typical work day (e.g., Salmeron et al., 2004)
- Highway network: Minimize: average travel time for network users during a peak commute period
- Undersea comms cables: Minimize: traffic delays and shortage penalties for unmet end-to-end traffic demands (e.g., Crain, 2012)

Attacks on components
- Electric power transmission grid: Generators, buses, etc., damaged or destroyed by explosives, gunfire, etc.
- Highway network: Road segments, tunnels, etc., damaged or destroyed by explosives, burning liquids, etc.
- Undersea comms cables: Cables severed by accident, natural disaster, or deliberate attack; landing stations attacked

Design (defenses)
- Electric power transmission grid: Offset fencing at substations; physical or electro-magnetic shielding; surplus component capacity (e.g., new generators, upgraded transmission lines)
- Highway network: Vehicle inspections at bridge entrances; structural reinforcement; increased police patrols; surplus component capacity (e.g., new bridges, widened roads)
- Undersea comms cables: Construction of additional redundant pathways; enhanced physical security at landing stations

Step 1: Formulate the Operator Model

Indices and Sets

- $n, i, j \in N$: stations (ordered set of nodes)
- $s, t \in N$: distinguished start and end stations
- $[i,j] \in E$: undirected edge between nodes $i$ and $j$; where $i < j$, $\forall [i,j] \in E$
- $(i,j) \in A$: directed arc from $i$ to node $j$; $[i,j] \in E \Leftrightarrow i < j \land ((i,j) \in A \land (j,i) \in A)$

Data [units]

- $u_{ij}$: upper bound on (undirected) flow on edge $[i,j] \in E$ [tons]

Decision Variables [units]

- $y_{ij}$: directional flow of cargo on arc $(i,j) \in A$ [tons]
- $y_{ts}$: total flow through network from $s$ to $t$ [tons]
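
Step 1: Formulate the Operator Model

RAIL-NET-CAPACITY

$$
\begin{aligned}
\max_{y}\quad & y_{ts} && && (1)\\
\text{s.t.}\quad & \sum_{j:(n,j)\in A} y_{nj} - \sum_{i:(i,n)\in A} y_{in} =
  \begin{cases} y_{ts} & n = s \\ 0 & n \neq s,t \\ -y_{ts} & n = t \end{cases}
  && \forall n \in N && (2)\\
& y_{ij} + y_{ji} \le u_{ij} && \forall [i,j] \in E && (3)\\
& y_{ij} \ge 0 && \forall (i,j) \in A && (4)\\
& y_{ts} \ge 0 && && (5)
\end{aligned}
$$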

Step 2: Define the Events

Event:

The simultaneous damage of one or more edges,
$x = \{x_{ij}\}$, $[i,j] \in E$, where
$x_{ij} = 1$ if edge $[i,j] \in E$ has been damaged, and is zero otherwise.

Example Sets of Events:

Step 3: Incorporate Events into the Operator Model

This leads to difficulty in maintaining linearity of the models.

Penalty-costs in the objective:

$$\max_{y}\quad y_{ts} - \sum_{[i,j]\in E} 2\,(y_{ij} + y_{ji})\,x_{ij}.$$

If an edge has been damaged, any flow is penalized twice what it
would eventually contribute to the objective via $y_{ts}$.

Step 4: Formulate the Attacker Model

New Data

- atk_budget: max # edges targeted in an attack

New Decision Variables [units]

- $x_{ij}$: $=1$ if track section $[i,j] \in E$ is attacked, $=0$ otherwise [binary]

The simple cardinality-based attack budget generalizes easily to
multiple resource costs and budgets.

Step 4: Formulate the Attacker Model

ATTACK-RAIL-NET

$$
\begin{aligned}
\min_{x}\,\max_{y}\quad & y_{ts} - \sum_{[i,j]\in E} 2\,(y_{ij} + y_{ji})\,x_{ij} && && (6)\\
\text{s.t.}\quad & (2),\ (3),\ (4),\ (5) \\
& \sum_{[i,j]\in E} x_{ij} \le \text{atk\_budget} && && (7)\\
& x_{ij} \in \{0,1\} && \forall [i,j] \in E && (8)
\end{aligned}
$$

Step 5: Define the Design Decisions

- $\text{def\_cost}_{ij}$: cost to build track section $[i,j] \in E$
- def_budget: total budget for design

$\text{def\_cost}_{ij} = 0$ for edges that already exist.

Step 6: Incorporate Design Decisions into the Models

For any $w \in W$, we restrict the flows in the network to edges that
have been built:

$$y_{ij} + y_{ji} \le u_{ij}\,w_{ij} \qquad \forall [i,j] \in E.$$

Step 7: Formulate the Defender Model

New Data [units]

- def_budget: defense construction budget [$]
- $\text{def\_cost}_{ij}$: defense construction cost of track section $[i,j] \in E$ [$]

New Decision Variables [units]

- $w_{ij}$: $=1$ if we decide to build track section $[i,j] \in E$, $=0$ otherwise [binary]
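
Step 7: Formulate the Defender Model

DEFEND-RAIL-NET

$$
\begin{aligned}
\max_{w}\,\min_{x}\,\max_{y}\quad & y_{ts} - \sum_{[i,j]\in E} 2\,(y_{ij} + y_{ji})\,x_{ij} && && (9)\\
\text{s.t.}\quad & (2),\ (4),\ (5),\ (7),\ (8) \\
& y_{ij} + y_{ji} \le u_{ij}\,w_{ij} && \forall [i,j] \in E && (10)\\
& \sum_{[i,j]\in E} \text{def\_cost}_{ij}\,w_{ij} \le \text{def\_budget} && && (11)\\
& w_{ij} \in \{0,1\} && \forall [i,j] \in E && (12)
\end{aligned}
$$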

Extension to Include Defense Options

What if we can defend an existing arc?
(And change its properties...)

New Indices and Sets

- $d \in D$: defense option (for each configuration of an edge)

New Data [units]

- $v^d_{ij}$: vulnerability of option $d$ for edge $[i,j] \in E$
- $u^d_{ij}$: capacity of edge $[i,j] \in E$ for option $d$ [tons]
- $\text{def\_cost}^d_{ij}$: construction cost of option $d$ for edge $[i,j] \in E$ [$]

New Decision Variables [units]

- $y^d_{ij}$: flow across directed arc $(i,j) \in A$ under option $d$ [tons]
- $w^d_{ij}$: $=1$ if we select option $d$ for edge $[i,j] \in E$, $=0$ otherwise [binary]

[Figure] Illustration of an edge with three defense options (arcs shown
one direction only).

Illustration of Defense Options

[Figure] One defense option, $d_2$, has been selected for this edge (arcs shown
in one direction only); $w^{d_1}_{ij}$ and $w^{d_3}_{ij}$ are both zero. All flows on
this edge in either direction will use the second set of parameters.
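
Defense Options Formulation

DEFEND-RAIL-NET

$$
\begin{aligned}
\max_{w}\,\min_{x}\,\max_{y}\quad & y_{ts} - \sum_{[i,j]\in E}\sum_{d\in D} \left(y^d_{ij} + y^d_{ji}\right) x_{ij} && && (13)\\
\text{s.t.}\quad & (5),\ (7),\ (8) \\
& \sum_{d\in D}\Big(\sum_{j:(n,j)\in A} y^d_{nj} - \sum_{i:(i,n)\in A} y^d_{in}\Big) =
  \begin{cases} y_{ts} & n = s \\ 0 & n \neq s,t \\ -y_{ts} & n = t \end{cases}
  && \forall n \in N && (14)\\
& y^d_{ij} + y^d_{ji} \le u^d_{ij}\,w^d_{ij} && \forall [i,j] \in E,\ d \in D && (15)\\
& y^d_{ij} \ge 0 && \forall (i,j) \in A,\ d \in D && (16)\\
& \sum_{d\in D}\sum_{[i,j]\in E} \text{def\_cost}^d_{ij}\,w^d_{ij} \le \text{def\_budget} && && (17)\\
& \sum_{d\in D} w^d_{ij} = 1 && \forall [i,j] \in E && (18)\\
& w^d_{ij} \in \{0,1\} && \forall [i,j] \in E,\ d \in D && (19)
\end{aligned}
$$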

Resilience Curves

The points about resilience we want to emphasize in our systems:

Resilience of a system is more than a single number,
and
A resilient system can handle a range of events.

With our models, we conduct a parametric analysis on:

- the number of defenses we can afford (or the defense budget,
  more generally)
- the number of attacks our opponent can afford

These analyses give a richer representation of how a system adapts
its operations to respond to a variety of attacks, and how we can
improve those responses.

Parameterizing the Number of Attacks

Given competing designs, we can use a parametric analysis of the
attacker model to compare those designs to each other.

Comparing the Resilience of Systems

[Figure: curves for System A, System B and System C; x-axis: Number of Damaged (Lost) Components, 0 to 5]

Resilience curves for three notional systems, and for disruptions
that include the loss of up to 5 components. System A is "more
resilient" than System B, while System C is "less resilient," for this
range of disruption.

Parameterizing the Number of Defenses and Attacks

Each level of defense yields a different resilience curve, and we can
plot multiple curves to evaluate the effectiveness of increased
defensive effort.

Resilience Curves for Russian Rail

[Figure: resilience curves; x-axis: Number of Attacks]

Resilience curves showing throughput as a function of the number
of attacks for varying numbers of defended rail sections.

Analysis

Once we have the models built, we can exercise them in a number
of ways, and present the results graphically, or in a table, or even
using a sequence of maps.

We represent the multidimensional nature of "resilience" for a
range of defender and attacker capabilities in the hopes that we
can inform better decision making.

Attacker Model Results: Power System

Component Name (atk_cost): attack marks (X), in order, across the atk_budget columns 1 to 12

- Line1 (1): X X
- Line2 (1): X
- Substation 1 (2): X X X X X X
- Substation 2 (2): X
- Substation 3 (3): X X X
- Substation 4 (3): X X X X X X X
- Substation 5 (4): X X X X X
- Substation 6 (2): X X X X
- Substation 7 (3): X

Most-disruptive interdictions by attack budget.

Defender Model Results: Power System

Component Name (atk_cost): marks, in order, across the def_budget columns 0 to 5

- Substation 1 (4): X
- Substation 2 (3): X O O O O O
- Substation 3 (2): X
- Substation 4 (3): X X X X X
- Substation 5 (2): X O O O O
- Substation 6 (3): X X X X O
- Substation 7 (2): X X X O O
- Substation 8 (2): X O O O
- Substation 9 (2): X X X
- Substation 10 (2): X X
- Substation 11 (3): X

Optimal defensive "hardening" of links.
'O' = defense, 'X' = attack.

Solving the Tri-Level Model

How do we unwind the min-max-min structure in DAD($w$, $x$, $y$)?

$$\min_{w \in W}\ \max_{x \in X}\ \min_{y \in Y(w)} f(w, x, y)$$

Observation

$X$ is a finite set of attacks

Recourse-based Reformulation

Define vectors $\{y^k\}$, where each $y^k$ is operator's response
(recourse!) to a particular $x^k \in X$.

Unwinding The Tri-Level Model

Reformulated DAD($w$, $x$, $y$):

$$z^* = \min_{w \in W}\ \max_{x^k \in X}\ \min_{y^k \in Y(w)} f(w, x^k, y^k),$$

- The set $X$, though finite, can be enormous. We'll overlook
  that for now...
- The max operator is over the (finite) enumeration of all
  attacks, and each attack $x^k$ has a separate response, $y^k$.

From Tri-Level to Bi-Level

Practically speaking, this means we can exchange the order of the
inner two operators, at the cost of a significant increase in the
number of variables.

Decomposition Master Problem

If we only enumerate a subset of the attacks, $x^1, x^2, \ldots, x^K$, where
$K \ll |X|$, we can state the:

- Optimal solution provides a lower bound for DAD($w$, $x$, $y$), a
  feasible design $w^K$, and the optimal responses, $y^k$, for each
  attack $x^k$, under that design.
- For any fixed design, $w^K$, solve DAD($w^K$, $x$, $y$) for an upper
  bound on DAD($w$, $x$, $y$), the resulting optimal attack, $x^{K+1}$,
  in response to $w^K$, and a new cut (DADC1).

Solving the Attacker (Sub)problem

Given feasible defense $w$ from DAD-Master, we need

- the optimal (worst-case) attack in response, and
- the resulting operating cost.

DAD($w$, $x$, $y$) is the subproblem for our decomposition approach.

$$\max_{x \in X}\ \min_{y \in Y(w)} f(w, x, y)$$

Attacker Subproblem

Solving the Attacker Subproblem

If the Operator Problem is a Linear Program:

- Benders Decomposition
- taking the dual of the Operator Problem (yielding a pure max
  ILP)

Otherwise:

- Decomposition similar to DAD
- Heuristic search for attacks (Operator Problem to evaluate)

As a specific example of the latter, we could use random sampling
to generate disruptive events (attacks)...

Solving the Attacker Problem via Random Sampling

[Figure] 10,000 random attacks on the Soviet railway compared with a
worst-case attack, for each of num_attacks = 1, 2, ..., 7. (Figure
from Alderson et al. (2013), Figure 5.)
Decomposition Details


• The master problem is an ILP (binary design variables)
• The subproblem is equivalent to an ILP (binary attack variables)

Standard Benders decomposition might cycle.
But with only a finite number of attacks...

Solution elimination constraints:

$$\sum_{(i,j):\, \hat{x}^k_{ij} = 0} x_{ij} + \sum_{(i,j):\, \hat{x}^k_{ij} = 1} (1 - x_{ij}) \ge 1 \qquad \forall k = 1, \ldots, K$$

• Add these to the subproblem, and you are guaranteed to get a
new (possibly suboptimal) attack in each iteration...
• ... and therefore (eventually) generate every cut in the master.
Other Solution Options


For a “small” number of feasible defenses we can enumerate:
• can also enumerate attacks to solve the subproblem
• be careful with

We can use brute-force enumeration and just solve a large number
of Attacker Problems (and Operator Problems), or we can try to
implement special master problems that implicitly enumerate
defenses (or attacks).
• Solution elimination constraints (try a new defense at each
iteration)
• Set covering constraints (defend at least one attacked
component in each attack)
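
One way to combine the enumeration and set covering ideas on this slide, as an added example that is not the authors' implementation: the master enumerates defenses that cover every attack found so far, and the subproblem enumerates attacks. The depot system and its costs are constructed, and the sketch assumes defended depots cannot be attacked and that budget + k does not exceed the number of depots.

```python
import itertools

# Constructed toy system (not from the tutorial): cost of serving each customer
# from each depot. The operator serves every customer from the cheapest depot
# that is still standing.
COST = {"c1": {"A": 1, "B": 2, "C": 7, "D": 9},
        "c2": {"A": 7, "B": 1, "C": 2, "D": 9},
        "c3": {"A": 9, "B": 6, "C": 1, "D": 3}}
DEPOTS = ["A", "B", "C", "D"]

def operate(down):
    """Operator Problem: min over y of f(w,x,y) with the depots in `down` lost."""
    return sum(min(c for d, c in row.items() if d not in down)
               for row in COST.values())

def worst_attack(defended, k):
    """Attacker subproblem by enumeration over the undefended depots."""
    targets = [d for d in DEPOTS if d not in defended]
    return max((operate(x), x) for x in itertools.combinations(targets, k))

def best_defense(budget, k):
    """Master loop with set covering constraints over the attacks found so far."""
    attacks, best = [], (float("inf"), None)
    while True:
        # Master: first defense that protects at least one depot in every
        # attack generated so far (the set covering constraints).
        w = next((w for w in itertools.combinations(DEPOTS, budget)
                  if all(set(w) & set(x) for x in attacks)), None)
        if w is None:
            # Every other defense leaves some known attack fully open, and
            # each known attack costs at least the incumbent, so stop.
            return best, attacks
        cost, x = worst_attack(w, k)   # x never touches w, so w is not retried
        best = min(best, (cost, w))
        attacks.append(x)
```

With a budget of one defended depot and two-depot attacks, the loop evaluates three of the four defenses before the covering constraints become infeasible.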
Time-phased Reconstitution of Components

[Figure: Reconstitution of a notional system following two different events. Axis label: days following event.]

[Figure: Top five rank-ordered attacks for target lists containing one to three components. Axis label: number of components targeted.]
Stochastic “Attacker” Model


If events that modify the operational setting are not deliberate
attacks, but random events, then for any fixed design we can
evaluate the resilience of the system via:

$$E_x\left[\min_{y \in Y(w)} f(w,x,y)\right]$$

where x ∈ X is a random event drawn from the set of events, X,
and the expectation is taken over a known distribution.

The set X can be parameterized by magnitude of the events
(similar to earthquakes, hurricanes, etc.), and resilience curves can
be plotted for these models, too.
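
An added example (not from the tutorial or from Alderson et al.) for the random-sampling slide and the stochastic “attacker” model above: on a constructed six-arc network with a shortest-path Operator Problem, it compares the enumerated worst-case event with the best of n random events and with the expected cost. The network, the penalty of 20 on a disrupted arc, and the uniform distribution over k-arc events are assumptions.

```python
import itertools
import random

# Constructed toy network (not from the tutorial): directed arc -> cost.
ARCS = {("s", "a"): 2, ("s", "b"): 4, ("a", "b"): 1,
        ("a", "t"): 6, ("b", "t"): 3, ("s", "t"): 12}
PENALTY = 20  # assumed extra cost of using a disrupted arc

def operate(down):
    """Operator Problem: cheapest s-t route when the arcs in `down` are disrupted."""
    cost = {a: c + (PENALTY if a in down else 0) for a, c in ARCS.items()}
    dist = {"s": 0}
    for _ in range(len(ARCS)):                      # Bellman-Ford passes
        for (u, v), c in cost.items():
            if u in dist and dist[u] + c < dist.get(v, float("inf")):
                dist[v] = dist[u] + c
    return dist["t"]

def worst_case(k):
    """max over x of min over y, by enumerating every k-arc event."""
    return max((operate(x), x) for x in itertools.combinations(ARCS, k))

def expected_cost(k):
    """E_x[min over y], with x uniform over all k-arc events (assumed)."""
    costs = [operate(x) for x in itertools.combinations(ARCS, k)]
    return sum(costs) / len(costs)

def sample_attacks(k, n, seed=0):
    """Random sampling: returns (worst sampled cost, sample mean)."""
    rng = random.Random(seed)
    costs = [operate(rng.sample(list(ARCS), k)) for _ in range(n)]
    return max(costs), sum(costs) / n
```

The worst sampled cost can only bound the true worst case from below, while the sample mean estimates the expectation used in the stochastic model.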
Stochastic Programs with Recourse


If we wish to design the system to be resilient to the distribution of
events from X, then we have

$$\min_{w \in W} E_x\left[\min_{y \in Y(w)} f(w,x,y)\right],$$

a two-stage stochastic program with recourse, with design w as
the first stage decisions, the “attack” x as the random realization,
and the operations y as the recourse.
Building the Tri-Level Model


Our seven-step script simplifies to a sequence of three models:
Building the Tri-Level Model


Central to all of these models is an operational model of system
operation:

$$\min_{y \in Y} f(y).$$

But, if it is built from the start to:
• incorporate design options, w, and
• incorporate the setting, x,

to yield:

$$\min_{y \in Y(w)} f(w,x,y),$$

then the remaining modeling effort is relatively straightforward.
Some Thoughts on Modeling


[Diagram: the models below, linked by arrows]

$$\min_{w \in W} h(w)$$

$$\min_{w \in W} \max_{x \in X} g(w,x) \qquad\qquad \min_{w \in W} E_x\left[g(w,x)\right]$$

$$\min_{w \in W} \max_{x \in X} \min_{y \in Y(w)} f(w,x,y) \qquad\qquad \min_{w \in W} E_x\left[\min_{y \in Y(w)} f(w,x,y)\right]$$

$$\max_{x \in X} \min_{y \in Y(w)} f(w,x,y) \qquad\qquad E_x\left[\min_{y \in Y(w)} f(w,x,y)\right]$$

$$\min_{y \in Y(w)} f(w,x,y)$$

We recommend building these models from the bottom up, on this
diagram. The “top down” approach, if done carelessly, leads to
many (painful) reformulations along the way.